extension: apply VPC source NAT in implement(network) for VPC tiers

weizhouapache · weizhouapache · commit 78eda30b5ed0 · 2026-04-15T08:54:17.000+02:00
implementVpc() is called from startVpc()/restartVpc() which may run before
any tier network exists (e.g. at initial VPC creation time). In that case
it cannot find an anchor network and skips source NAT assignment.
Fix: also apply the VPC-level source NAT IP inside implement(network) when
the network belongs to a VPC. The script is idempotent so calling assign-ip
multiple times (once per tier implement, and again from implementVpc on
restart) is harmless.
diff --git a/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java b/framework/extensions/src/main/java/org/apache/cloudstack/framework/extensions/network/NetworkExtensionElement.java
@@ -452,17 +452,31 @@ public boolean implement(Network network, NetworkOffering offering, DeployDestin
             return false;
         }
 
-        // Step 3: Configure source NAT for non-VPC networks.
-        // VPC source NAT is managed at implementVpc().
-        if (network.getVpcId() == null && canHandle(network, Service.SourceNat)) {
-            try {
-                Account owner = accountService.getAccount(network.getAccountId());
-                PublicIpAddress existingIp = networkModel.getSourceNatIpAddressForGuestNetwork(owner, network);
-                if (existingIp != null) {
-                    applyIps(network, List.of(existingIp), Set.of(Service.SourceNat));
+        // Step 3: Configure source NAT.
+        if (canHandle(network, Service.SourceNat)) {
+            if (network.getVpcId() == null) {
+                // Isolated network: apply the network's own source NAT IP.
+                try {
+                    Account owner = accountService.getAccount(network.getAccountId());
+                    PublicIpAddress existingIp = networkModel.getSourceNatIpAddressForGuestNetwork(owner, network);
+                    if (existingIp != null) {
+                        applyIps(network, List.of(existingIp), Set.of(Service.SourceNat));
+                    }
+                } catch (Exception e) {
+                    logger.warn("Failed to configure source NAT IP for network {}: {}", network.getId(), e.getMessage(), e);
+                }
+            } else {
+                // VPC tier: apply the VPC-level source NAT IP.
+                // implementVpc() may have been called before any tier existed (no-op then),
+                // so we eagerly apply it here on every tier implement; the script is idempotent.
+                try {
+                    final PublicIpAddress vpcSourceNatIp = getVpcSourceNatIp(network.getVpcId());
+                    if (vpcSourceNatIp != null) {
+                        applyIps(network, List.of(vpcSourceNatIp), Set.of(Service.SourceNat));
+                    }
+                } catch (Exception e) {
+                    logger.warn("Failed to configure VPC source NAT IP for VPC tier network {}: {}", network.getId(), e.getMessage(), e);
                 }
-            } catch (Exception e) {
-                logger.warn("Failed to configure source NAT IP for network {}: {}", network.getId(), e.getMessage(), e);
             }
         }
 
